[ https://issues.apache.org/jira/browse/TS-2569?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ron Barber updated TS-2569:
---------------------------
Attachment: TS-2569.patch
Incorporated Mr. Peach's comments. This patch replaces the previous two.
"In {{ssl_index_certificate()}}, just do an early return if
{{PEM_read_bio_X509_AUX()}} fails. This saves indentation and makes the logic
cleaner."
DONE
"In {{SSLInitServerContext}}, the {{bInitializeDefault}} variable is not
necessary. The key criterion here is whether there is a certificate/key pair or
not, and {{if (sslMultCertSettings.cert)}} expresses that directly."
DONE. I originally passed in a bInitializeDefault flag but then determined
I could do a simple test and just never refactored that part.
"I'm confused about the part of the patch that deals with
{{lookup->ssl_default}}, but that hunk doesn't apply to master, so maybe it
will become clear after rebasing."
Now uses {{ssl_store_ssl_context}} to initialize the default context which
ensures all necessary flags get set in the default ctx.
> ssl options are ignored if ssl_multicert.config does not contain an entry
> with dest_ip=*
> -----------------------------------------------------------------------------------------
>
> Key: TS-2569
> URL: https://issues.apache.org/jira/browse/TS-2569
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Reporter: Ron Barber
> Assignee: Ron Barber
> Labels: Review
> Fix For: 5.0.0
>
> Attachments: TS-2569.patch
>
>
> We discovered that the proxy.config.ssl.server.honor_cipher_order=1 setting
> was not working correctly. After investigating it was determined that if you
> do not have a dest_ip=* in the ssl_multicert.config file then the server
> cipher order setting will not be honored.
> ssl_multicert.config:
> dest_ip=192.168.214.131 ssl_cert_name=cert.pem
> records.config:
> CONFIG proxy.config.ssl.server.cipher_suite STRING RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!NULL
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> Result (client selection is honored):
> % echo | openssl s_client -connect 192.168.214.131:443 -cipher 'AES128-SHA:RC4-SHA' 2>&1 | grep 'Cipher is'
> New, TLSv1/SSLv3, Cipher is AES128-SHA
> % echo | openssl s_client -connect 192.168.214.131:443 -cipher 'RC4-SHA:AES128-SHA' 2>&1 | grep 'Cipher is'
> New, TLSv1/SSLv3, Cipher is RC4-SHA
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
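The reproduction in the issue description relies on reading the "Cipher is" line from two `openssl s_client` runs with reversed client preference lists and comparing the results by eye. The following script, added here as an example and not part of the JIRA thread or the Traffic Server code base, turns that manual check into a repeatable one: it parses `s_client` output, models the cipher-suite selection rule (the first entry of the preferred side's list that the other side also offers), and classifies a set of observations as server-preference, client-preference, or inconsistent. The server order and the two sample outputs are constructed from the values quoted in the issue; `probe()` is a hypothetical helper that runs the real `openssl s_client` command and is not called by default.

```python
import re
import subprocess
from typing import Iterable, Optional, Sequence, Tuple

# Matches the summary line openssl s_client prints, e.g. "New, TLSv1/SSLv3, Cipher is RC4-SHA".
CIPHER_LINE = re.compile(r"Cipher is (\S+)")


def negotiated_cipher(s_client_output: str) -> Optional[str]:
    """Return the negotiated cipher suite from s_client output, or None if the
    handshake failed (openssl then prints 'Cipher is (NONE)')."""
    match = CIPHER_LINE.search(s_client_output)
    if not match or match.group(1) == "(NONE)":
        return None
    return match.group(1)


def expected_cipher(server_order: Sequence[str], client_order: Sequence[str],
                    honor_server_order: bool) -> Optional[str]:
    """Model of TLS cipher-suite selection: the preferred side's list is walked
    in order and the first suite the other side also offers is chosen."""
    if honor_server_order:
        preferred, other = server_order, client_order
    else:
        preferred, other = client_order, server_order
    offered = set(other)
    for suite in preferred:
        if suite in offered:
            return suite
    return None


def classify_preference(server_order: Sequence[str],
                        observations: Iterable[Tuple[Sequence[str], Optional[str]]]) -> str:
    """Given (client_order, negotiated_cipher) pairs, decide whose order the
    server honored. Returns 'server', 'client', 'indistinguishable' (the
    observations cannot tell the two apart) or 'inconsistent'."""
    obs = list(observations)
    server_pref = all(neg == expected_cipher(server_order, cl, True) for cl, neg in obs)
    client_pref = all(neg == expected_cipher(server_order, cl, False) for cl, neg in obs)
    if server_pref and client_pref:
        return "indistinguishable"
    if server_pref:
        return "server"
    if client_pref:
        return "client"
    return "inconsistent"


def probe(host: str, port: int, client_order: Sequence[str],
          extra_args: Sequence[str] = ("-tls1_2",)) -> Optional[str]:
    """Hypothetical helper: run openssl s_client with the given client cipher
    order and return the negotiated suite. -tls1_2 is passed because -cipher
    only governs TLS 1.2 and earlier; TLS 1.3 suites use -ciphersuites instead."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-cipher", ":".join(client_order), *extra_args]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=15)
    output = proc.stdout.decode("utf-8", "replace") + proc.stderr.decode("utf-8", "replace")
    return negotiated_cipher(output)


# Constructed sample data mirroring the issue: the configured server order and the
# two s_client results observed when dest_ip=* was missing from ssl_multicert.config.
SAMPLE_SERVER_ORDER = ("RC4-SHA", "AES128-SHA", "DES-CBC3-SHA", "AES256-SHA")
SAMPLE_RUNS = (
    (("AES128-SHA", "RC4-SHA"), "New, TLSv1/SSLv3, Cipher is AES128-SHA\n"),
    (("RC4-SHA", "AES128-SHA"), "New, TLSv1/SSLv3, Cipher is RC4-SHA\n"),
)


def analyse_sample_runs() -> str:
    """Classify the constructed sample; with the bug present this is 'client'."""
    observations = [(client, negotiated_cipher(out)) for client, out in SAMPLE_RUNS]
    return classify_preference(SAMPLE_SERVER_ORDER, observations)


if __name__ == "__main__":
    print("sample runs indicate preference honored:", analyse_sample_runs())
```

To check a live server, call `probe()` twice with the two client orders that the server list ranks differently (as the issue does with AES128-SHA and RC4-SHA) and feed the results to `classify_preference()`; a result of "client" with `honor_cipher_order` set to 1 is the symptom described above. Note that the specific suites in the issue (RC4, 3DES) are rejected by the default security level of current OpenSSL builds, so a live check needs two suites the server actually enables.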